On the Complexity of Fair Coin Flipping

A two-party coin-flipping protocol is $\epsilon$-fair if no efficient adversary can bias the output of the honest party (who always outputs a bit, even if the other party aborts) by more than $\epsilon$. Cleve [STOC \u2786] showed that $r$-round $o(1/r)$-fair coin-flipping protocols do not exist. Awerbuch et al. [Manuscript \u2785] constructed a $\Theta(1/\sqrt{r})$-fair coin-flipping protocol, assuming the existence of one-way functions. Moran et al. [Journal of Cryptology \u2716] constructed an $r$-round coin-flipping protocol that is $\Theta(1/r)$-fair (thus matching the aforementioned lower bound of Cleve [STOC \u2786]), assuming the existence of oblivious transfer. The above gives rise to the intriguing question of whether oblivious transfer, or more generally ``public-key primitives\u27\u27, is required for an $o(1/\sqrt r)$-fair coin flipping. This question was partially answered by Dachman-Soled et al. [TCC \u2711] and Dachman-Soled et al. [TCC \u2714], who showed that restricted types of fully black-box reductions cannot establish $o(1/\sqrt r)$-fair coin-flipping protocols from one-way functions. In particular, for constant-round coin-flipping protocols, Dachman-Soled et al. showed that black-box techniques from one-way functions can only guarantee fairness of order $1/\sqrt{r}$. We make progress towards answering the above question by showing that, for any constant $r\in \mathbb N$, the existence of an $1/(c\cdot \sqrt{r})$-fair, $r$-round coin-flipping protocol implies the existence of an infinitely-often key-agreement protocol, where $c$ denotes some universal constant (independent of $r$). Our reduction is non black-box and makes a novel use of the recent dichotomy for two-party protocols of Haitner et al. [FOCS \u2718] to facilitate a two-party variant of the recent attack of Beimel et al. [FOCS \u2718] on multi-party coin-flipping protocols

Fair Loss-Tolerant Quantum Coin Flipping

Coin flipping is a cryptographic primitive in which two spatially separated players, who in principle do not trust each other, wish to establish a common random bit. If we limit ourselves to classical communication, this task requires either assumptions on the computational power of the players or it requires them to send messages to each other with sufficient simultaneity to force their complete independence. Without such assumptions, all classical protocols are so that one dishonest player has complete control over the outcome. If we use quantum communication, on the other hand, protocols have been introduced that limit the maximal bias that dishonest players can produce. However, those protocols would be very difficult to implement in practice because they are susceptible to realistic losses on the quantum channel between the players or in their quantum memory and measurement apparatus. In this paper, we introduce a novel quantum protocol and we prove that it is completely impervious to loss. The protocol is fair in the sense that either player has the same probability of success in cheating attempts at biasing the outcome of the coin flip. We also give explicit and optimal cheating strategies for both players.Comment: 12 pages, 1 figure; various minor typos corrected in version

Serial composition of quantum coin-flipping, and bounds on cheat detection for bit-commitment

Quantum protocols for coin-flipping can be composed in series in such a way that a cheating party gains no extra advantage from using entanglement between different rounds. This composition principle applies to coin-flipping protocols with cheat sensitivity as well, and is used to derive two results: There are no quantum strong coin-flipping protocols with cheat sensitivity that is linear in the bias (or bit-commitment protocols with linear cheat detection) because these can be composed to produce strong coin-flipping with arbitrarily small bias. On the other hand, it appears that quadratic cheat detection cannot be composed in series to obtain even weak coin-flipping with arbitrarily small bias.Comment: 7 pages, REVTeX 4 (minor corrections in v2

Chances, counterfactuals and similarity

John Hawthorne in a recent paper takes issue with Lewisian accounts of counterfactuals, when relevant laws of nature are chancy. I respond to his arguments on behalf of the Lewisian, and conclude that while some can be rebutted, the case against the original Lewisian account is strong. I develop a neo-Lewisian account of what makes for closeness of worlds. I argue that my revised version avoids Hawthorne’s challenges. I argue that this is closer to the spirit of Lewis’s first (non-chancy) proposal than is Lewis’s own suggested modification

Teaching Bayesian Model Comparision with the Three-Sided Coin

In the present work we introduce the problem of determining the probability that a rotating and bouncing cylinder (i.e. flipped coin) will land and come to rest on its edge. We present this problem and analysis as a practical, nontrivial example to introduce the reader to Bayesian model comparison. Several models are presented, each of which take into consideration different physical aspects of the problem and the relative effects on the edge landing probability. The Bayesian formulation of model comparison is then used to compare the models and their predictive agreement with data from hand-flipped cylinders of several sizes